Abstract

Lifestyle-tracking services, which rely on contextual and physiological data collected from sensors embedded in (wearable) connected devices, are now emerging in the wake of location-based services (LBS), in which mobile users with GPS-equipped connected devices obtain personalized services based on their locations. This new type of service is enabled by the ever-increasing number and variety of sensors embedded in connected objects (e.g., sleep, heart-rate or even EEG monitors), whose data collection is facilitated by dedicated frameworks such as iOS's HealthKit and Android's Google Fit. With potentially hundreds of millions of users, these services could become the "next big thing" in mobile and pervasive computing. Extensive research on LBS has demonstrated the privacy risks related to location data. But this is just the tip of the iceberg: compared to LBS, lifestyle-tracking activities raise many more complex and serious privacy threats, as pointed out in a recent report from the French National Commission on Informatics and Liberty (CNIL). Beyond recreational use (e.g., keeping track of one's state and activities, following the trend of the quantified self, and sharing on social networks), lifestyle tracking has serious and sensitive applications; a typical example is health, illustrated by the collaboration of developers with medical clinics (e.g., Apple/Mayo Clinic) and insurance companies. Severe threats to privacy go hand in hand with the immense potential benefits of lifestyle-tracking applications, especially for critical ones such as those concerning health. These threats stem from the large amount and wide variety of collected data and from the sensitivity of the information that can be inferred from it. Given the high commercial value of such data, there is no doubt that many stakeholders will be interested in collecting and exploiting it, as illustrated by the interest of insurance companies in activity trackers.
Another worrisome possible application of such data is the use of users' heart rates to monitor their reactions to specific external stimuli such as advertisements, which would be high-value feedback for advertisers. As lifestyle tracking enables sensitive applications, the utility aspects, which constitute the key counterpart of privacy, also differ significantly from recreational LBS: coupled with appropriate follow-up by a medical doctor, lifestyle-tracking applications can help detect conditions, possibly deadly ones, and thus have the potential to save their users' lives. These drastic changes in privacy and utility require a thorough investigation of lifestyle-tracking applications and the data they manipulate, as well as the design and implementation of efficient privacy-protection tools. This is precisely what the PrivateLife Project will achieve. Building on the strong and complementary expertise of the consortium's partners in the many facets of privacy protection (we have made key contributions to the privacy and utility of LBS and personalized medicine), the PrivateLife Project will address the unique privacy/utility trade-off that stems from the use of lifestyle-tracking services. More specifically, the goal of the PrivateLife Project is to build practical and usable privacy-protection tools by tackling at once the problems of privacy quantification, utility quantification and system integration.
To do so, we will take a principled approach: (1) we will rely on techniques from system design to integrate privacy-protection mechanisms into existing lifestyle-tracking devices and applications; (2) we will follow a privacy-by-design approach to propose new and alternative architectures and systems for lifestyle tracking that rely on cryptographic primitives, obfuscation techniques and distributed algorithms; (3) we will rely on statistical inference over theoretical models and on data mining to quantify privacy by modeling curious adversaries; and (4) we will rely on machine learning and data-driven modeling to quantify utility, involving the users in the process through personalized surveys. Most of the aforementioned techniques lie within the partners' areas of expertise; an advisory board is set up to complement the consortium's expertise in the remaining topics relevant to the project.